@PinYunYes: Are you sure you know how to use Shadowrocket? Most people's usage: open the app → import a subscription → tap connect. Then they leave it alone. Until one day Alipay spins, a WeChat transfer freezes, or a banking app crashes. First reaction: the phone is old. Actually, it's not. It's because there is no split tunneling. All traffic goes through the proxy...


Summary

Explains how to configure Shadowrocket correctly: loading remote rule modules for smart split tunneling so that domestic websites do not lag by going through the proxy, plus TUN mode configuration and ad-blocking modules.


Cached at: 06/26/26, 06:06 AM

Are You Sure You Know How to Use Shadowrocket?

Most people do this: open the app → import a subscription → tap connect. Then they just leave it alone.

Until one day, Alipay spins, WeChat transfers freeze, or a banking app crashes immediately. First reaction: my phone is old.

Actually, it’s not. They didn’t set up routing rules. All traffic goes through the proxy — when you open Taobao in China, the data flies to Tokyo first and then comes back. It would be weird if it didn’t lag.

Importing a subscription without adding any rules is the most common pitfall.

Shadowrocket has three rule types:

  • DIRECT: Chinese sites go directly without using the proxy
  • PROXY: Blocked domains go through the proxy
  • REJECT: Ads and trackers are denied outright — the app can’t even send a request

Most people have an empty rule list. Sites that should go DIRECT go through the proxy, and things that should be rejected are let in.
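How the three policies play out can be seen with a small first-match rule evaluator. This is an added example, not code from the original post or from Shadowrocket; the hostnames, the hostname-to-country table and the module lines are constructed, and the DOMAIN-SUFFIX module format and the placement of module rules ahead of the config's own rules are assumptions.

```python
# Constructed stand-in for DNS resolution + GeoIP lookup: hostname -> country.
GEO = {
    "www.taobao.com": "CN",
    "www.youtube.com": "US",
    "ads.tracker.example": "US",
    "ads.cn-tracker.example": "CN",
}

# [Rule] section of the 18-line config shown on this page.
TINY_CONF = ["GEOIP,CN,DIRECT", "FINAL,PROXY"]
# Constructed module lines; the DOMAIN-SUFFIX format and placement ahead of the
# config's own rules are assumptions about how the three modules are applied.
MODULES = [
    "DOMAIN-SUFFIX,tracker.example,REJECT",
    "DOMAIN-SUFFIX,cn-tracker.example,REJECT",
    "DOMAIN-SUFFIX,taobao.com,DIRECT",
    "DOMAIN-SUFFIX,youtube.com,PROXY",
]
# Model of "subscription only, no rules": everything falls through to the proxy.
NO_RULES = ["FINAL,PROXY"]

def parse_rule(line):
    """Split 'TYPE,VALUE,POLICY' (or 'FINAL,POLICY') into (type, value, policy)."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "FINAL":
        return "FINAL", "", parts[1]
    return parts[0], parts[1], parts[2]

def matches(kind, value, host):
    if kind == "FINAL":
        return True
    if kind == "DOMAIN-SUFFIX":  # the domain itself or any subdomain of it
        return host == value or host.endswith("." + value)
    if kind == "GEOIP":
        return GEO.get(host) == value
    return False  # rule types not modelled here never match

def route(host, rules):
    """Return (policy, matching rule); the first matching rule decides."""
    for line in rules:
        kind, value, policy = parse_rule(line)
        if matches(kind, value, host):
            return policy, line
    raise ValueError("no rule matched and no FINAL rule present")

if __name__ == "__main__":
    for host in GEO:
        print(host, route(host, NO_RULES)[0], route(host, TINY_CONF)[0],
              route(host, MODULES + TINY_CONF)[0])
```

With only the config's two rules, a tracker hosted in China matches `GEOIP,CN,DIRECT` and goes out directly; it is rejected only when the reject rules are evaluated before the GeoIP rule.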

GMOogway’s lazy configuration — set it up and forget about it.

Step 1: An 18-line minimal configuration loaded remotely:

Shadowrocket → Config → Remote File → Add

https://raw.githubusercontent.com/GMOogway/shadowrocket-rules/master/docs/03.shadowsocks_tiny.conf

Step 2: Paste in these three modules:

  • Direct Module: 110,000 Chinese domains — banks, payments, government sites go DIRECT automatically

    https://raw.githubusercontent.com/GMOogway/shadowrocket-rules/master/sr_direct_list.module
    
  • Proxy Module: 27,000 foreign domains — Google, YouTube, Twitter, Telegram use the proxy automatically

    https://raw.githubusercontent.com/GMOogway/shadowrocket-rules/master/sr_proxy_list.module
    
  • Reject Module: 160,000 ad and tracker domains — rejected at the DNS level

    https://raw.githubusercontent.com/GMOogway/shadowrocket-rules/master/sr_reject_list.module
    

GitHub Actions runs an update automatically every day, so the rules are always fresh. You never need to manually add a single domain.

TUN mode requires proper rule ordering — the order matters.

The default HTTP proxy only handles HTTP traffic. A banking app uses direct TCP connections, so the HTTP proxy can’t control it.

When you enable TUN, Shadowrocket creates a virtual network interface that intercepts all traffic. But without direct rules, the banking app will detect the proxy and refuse to run.

So the correct order: first install the direct rules → then enable TUN. Do it the other way around and you’ll get kicked out by the bank.

Many people haven’t enabled ad blocking.

The reject module intercepts ad requests at the DNS layer with 160,000 rules. It’s different from a browser extension — it’s not filtering; the app never even receives ad data. Apps actually open faster.

deezertidal also provides over 100 app modules:

  • Bilibili HD unlock, Baidu Netdisk speed boost, Caiyun Weather SVIP, TikTok ad removal, YouTube ad removal, Weibo/Zhihu ad removal.

They don’t conflict with the rules; just add them on top.

Complete workflow:

  1. Load the GMOogway 18-line config (remote file)
  2. Add the direct/proxy/reject modules
  3. Import your subscription
  4. Enable TUN mode
  5. Optionally add app modules (ad blocking/unlocks)

If you add domains manually, after three months you’ll find you can never catch them all. Paste in three URLs and you can forget what the rules page even looks like.

If you’re currently routing everything through the proxy, spend ten minutes and set this up. You’ll never have to touch it again.


Source: https://raw.githubusercontent.com/GMOogway/shadowrocket-rules/master/docs/03.shadowsocks_tiny.conf

[General]
bypass-system = true
# Keep local network ranges from going through the proxy
skip-proxy = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, localhost, *.local, captive.apple.com
tun-excluded-routes = 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 255.255.255.255/32, 239.255.255.250/32
# For security: use encrypted DNS (DoH), replace with your trusted service; if you insist on system, you can keep it
dns-server = https://cloudflare-dns.com/dns-query, https://dns.google/dns-query, https://dns.alidns.com/dns-query
# Keep IPv6 disabled (unless you really need it and have IPv6 rules ready)
ipv6 = false
prefer-ipv6 = false
# DNS fallback policy: avoid sending queries through the proxy when local DNS fails
dns-fallback-system = false
dns-direct-system = false
dns-direct-fallback-proxy = false
icmp-auto-reply = true
always-reject-url-rewrite = false
private-ip-answer = true

[Rule]
# Enable GeoIP country-based direct access
GEOIP,CN,DIRECT
FINAL,PROXY

[MITM]
enable = false
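
A config loaded from a remote URL can be checked before it is imported. The following added example (not part of the original post or the GMOogway repository) parses an excerpt of the config above and checks four settings: MITM is off, every DNS server is a DoH URL, the RFC 1918 ranges are excluded from TUN, and [Rule] ends with FINAL. The function names and finding messages are this example's own.

```python
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Excerpt of the config shown above, limited to the keys checked here.
PAGE_CONF = """\
[General]
tun-excluded-routes = 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
dns-server = https://cloudflare-dns.com/dns-query, https://dns.google/dns-query
[Rule]
GEOIP,CN,DIRECT
FINAL,PROXY
[MITM]
enable = false
"""

def parse(text):
    """Return {section: [lines]} with comments and blank lines dropped."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif line and not line.startswith("#") and current is not None:
            current.append(line)
    return sections

def settings(lines):
    """Turn 'key = a, b' lines into {key: [a, b]}."""
    pairs = (l.split("=", 1) for l in lines if "=" in l)
    return {k.strip(): [v.strip() for v in val.split(",") if v.strip()] for k, val in pairs}

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse(text)
    general, mitm = settings(conf.get("General", [])), settings(conf.get("MITM", []))
    findings = []
    if mitm.get("enable", ["false"]) != ["false"]:
        findings.append("MITM is enabled: HTTPS decryption is switched on")
    findings += [f"DNS server is not DoH: {s}" for s in general.get("dns-server", [])
                 if not s.startswith("https://")]
    excluded = [ipaddress.ip_network(r, strict=False) for r in general.get("tun-excluded-routes", [])]
    findings += [f"{net} is not excluded from TUN" for net in PRIVATE
                 if not any(net.subnet_of(e) for e in excluded)]
    rules = conf.get("Rule", [])
    if not rules or not rules[-1].startswith("FINAL,"):
        findings.append("[Rule] does not end with a FINAL rule")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONF))
```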
